U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Audit Report
Cyber Security Risk Management Practices at the Bonneville Power Administration

DOE/IG-0807    December 2008

Department of Energy
Washington, DC 20585

December 9, 2008

MEMORANDUM FOR THE SECRETARY

FROM: Inspector General

SUBJECT: Audit Report on "Cyber Security Risk Management Practices at the Bonneville Power Administration"

BACKGROUND

The Bonneville Power Administration (Bonneville) provides electrical power to millions of customers in eight states in the Pacific Northwest. To support this critical function, Bonneville makes extensive use of a number of information systems to conduct various activities, including financial management, operation of extensive electricity transmission systems, and marketing and transferring wholesale electrical power. Some of Bonneville's most sensitive systems are used to help control the flow of electricity to the power grid. Should any of these control systems be rendered inoperable for an extended period, Bonneville's customer base could be adversely impacted.

To help identify and manage risk, all Federal entities are required to certify and accredit (C&A) their information systems. The C&A process is a recognized, methodical process designed to ensure that information systems are secure prior to beginning operation and that they remain so throughout their lifecycle. The C&A process includes specific steps to recognize and address risks, determine whether system security controls are in place and operating effectively, and ensure that changes to a system are adequately tested and approved.
In light of the growing threat to security over information systems supporting critical infrastructure, we initiated this audit to determine whether Bonneville's cyber security program adequately protected its data and information systems.

RESULTS OF AUDIT

Bonneville had taken steps designed to strengthen its cyber security program. Our review, however, identified risk management weaknesses related to the C&A of Bonneville's critical information systems. If not adequately addressed, these weaknesses could adversely impact the security of Bonneville's critical systems and the data they contain. In particular, Bonneville had not always:

• Appropriately identified and addressed potential risks to critical systems and data, to include systems controlling electricity transmission;

• Developed adequate security plans for each of the four systems we reviewed;

• Ensured that physical and cyber security controls were tested and operating as intended; and,

• Developed corrective action plans necessary to resolve weaknesses in a number of important control areas.

Problems with the certification of these systems - some of which are integral to controlling electrical transmission to western portions of the U.S. - were attributable to Bonneville's failure to fully adopt a risk-based approach for implementing security controls that satisfied Federal requirements. In addition, Bonneville had not adequately emphasized the importance of a robust cyber security program through involvement of system and information owners.
Without improvements, Bonneville's systems, including those that support the western energy control area's critical infrastructure, may not be adequately protected from external attacks, insider threats, or inadvertent mistakes.

To its credit, Bonneville had recognized problems with its cyber risk management program and was taking action to address certain weaknesses. For instance, it was working to formally re-approve certain systems for operation through the C&A process. In addition, Bonneville noted that it had begun development of cyber security manuals designed to define security responsibilities for system and information owners and continued to maintain strong controls against network system intrusions.

These actions are positive steps that should help Bonneville strengthen the protective measures applied to its critical information systems. Our report contains several recommendations for additional action that, if fully implemented, should help Bonneville improve its overall cyber security posture.

MANAGEMENT REACTION

Management concurred with the report's recommendations and pledged to correct problems with its cyber risk management program. Bonneville acknowledged risk management problems; however, it noted that C&A, while important, is but one part of its overall cyber security program. Management's comments and our response are more fully discussed in the body of the report.
Management's comments are included in their entirety in Appendix 3.

Attachment

cc: Acting Deputy Secretary
    Chief of Staff
    Administrator, Bonneville Power Administration
    Chief Information Officer
    Chief Health, Safety and Security Officer

REPORT ON CYBER SECURITY RISK MANAGEMENT PRACTICES AT THE BONNEVILLE POWER ADMINISTRATION

TABLE OF CONTENTS

Protection of Information Systems

Details of Finding ... 1
Recommendations and Comments ... 7

Appendices

1. Objective, Scope, and Methodology ... 9
2. Prior Reports ... 10
3. Management Comments ... 12

Protection of Information Systems

Ensuring Security over Information Systems

The certification and accreditation (C&A) process is designed to ensure that information systems are secure prior to beginning operation and that they remain so throughout their lifecycle. The C&A process includes formal steps to recognize and address risks, determine whether system security controls are in place and operating effectively, and ensure that changes to a system are adequately tested and approved. The National Institute of Standards and Technology (NIST) emphasizes the importance of an effective C&A process when developing and implementing information systems.
Specifically, NIST notes that "The successful completion of the security certification and accreditation process provides agency officials with the necessary confidence that the information system has adequate security controls, that any vulnerabilities in the system have been considered in the risk-based decision to authorize processing, and that appropriate plans and funds have been identified to correct any deficiencies in the information system." Reporting instructions published annually by the Office of Management and Budget (OMB) for the Federal Information Security Management Act require that Federal organizations adhere to NIST cyber security related directives/guidance.

Our review of the Bonneville Power Administration (Bonneville or BPA) revealed, however, that it had not fully implemented Federal requirements for certifying and accrediting a number of its systems. Specifically, we noted that responsible officials had not always identified and addressed system risks and system security plans were either not developed or were missing descriptions of key controls needed to protect information.
In addition, testing of security controls was sometimes not conducted, insufficient, or was not appropriately documented. Corrective action plans were also not always developed to address identified weaknesses in a timely manner.

Risk Identification and Mitigation

Although specifically required by Federal and Department of Energy (Department) directives, responsible officials had not always ensured that risks to information systems were appropriately identified and mitigated. Specifically, we found that formal risk assessments had not been conducted and/or finalized and that contingency plans had not always been developed to address recovery from a system disruption. In particular, a formal risk assessment had not been completed for any of the four systems we reviewed. Although a draft assessment was prepared for the Control Center System (CCS) more than a year prior to our review, 5 of the 14 identified risks were missing key elements such as the analyses of vulnerabilities and their related impact.
In addition, the CCS risk assessment was never finalized.

While a report developed by the certification agent attempted to analyze risks, it excluded information associated with NIST controls relevant to identification and authentication, physical and environmental protection, and systems and communications protection even though these areas had controls described as failing during certification testing. The report also disclosed that without complete risk information, "it is difficult to objectively assess the validity and veracity of existing security controls and control enhancements, and to recommend those which will most effectively mitigate risks to the information system." Due to the lack of adequate risk assessments, Bonneville may not have been able to effectively detect risks associated with the systems we reviewed.

In some circumstances, Bonneville had not developed adequate contingency plans to ensure that information systems and data could be recovered in the event of a significant outage or disaster. For example, plans had been developed for only two of the four systems reviewed. However, one of the plans was never completed and the other did not cover more than 30 sub-systems.
Subsequent to our site visits, Bonneville developed plans for 12 major sub-systems included in the CCS; however, plans for 22 other sub-systems remained incomplete. Although Bonneville commented that recovery strategies were in place for the remaining sub-systems, our review of the contingency plan for the CCS revealed that these systems were not specifically covered by the plan. We also noted that Bonneville had not developed a business impact analysis to determine the impact to operations in the event of a disaster and to aid in prioritizing system restoration activities.

Security Planning

We also identified problems with the security planning process at Bonneville. Specifically, Bonneville allowed system accreditations to expire and had not developed security plans for all systems. Even when developed, plans for each of the systems reviewed did not always provide information relevant to system-specific risks or controls to be implemented.
For instance:

• While systems should be re-accredited for operation at least once every three years to account for changes in technology and related risks, Bonneville had permitted accreditations to expire for two of four systems reviewed. Bonneville officials noted that the systems with expired accreditations had been incorporated into another larger system and they had initiated action to re-accredit the larger system. However, the decision to incorporate the systems was not made until four months after the accreditations expired. The effort to re-accredit the system remained incomplete at the time we completed our review.

• Security plans had not been developed for various systems at Bonneville. NIST directs that major applications have their own security plan that describes relevant controls, including those that are inherited from a larger security plan. However, even though the CCS contained at least 12 major sub-systems, including those that contributed to the reliability of grid operations, security plans had not been developed to define control requirements unique to those systems. In addition, our review of the larger security plan revealed that it did not adequately describe which controls were to be inherited by the major sub-systems. The importance of developing system-specific plans was emphasized in a May 2007 report prepared by Bonneville system owners and the certification agent that disclosed that 144 of 235 system controls (61 percent) had findings associated with them and included a recommendation that security plans be developed for the 12 major sub-systems.

• Even when security plans were developed, they generally were incomplete and lacked descriptions of how minimum security controls were implemented to meet Federal requirements. Specifically, plans for all four systems reviewed excluded information critical to assessing risks to systems. For example, the security plan for the CCS did not adequately describe certain controls to be implemented in the areas of access controls and configuration management. Our review of the Business Information Technology (IT) Infrastructure System disclosed that officials had not documented, and were not aware of, the number of sub-systems and applications residing within this plan.

Security Control Testing

Additionally, we identified problems with security control testing for each of the systems reviewed at Bonneville. Specifically, certification testing – a detailed review of an information system's security controls generally performed every three years – was either not performed or not adequately conducted. Required annual self-assessments of security controls were also not always completed. Without adequate control testing, management lacked assurance that security controls were operating as intended.

We found that although Bonneville conducted control testing on its overall general support systems during the initial system certification activities, it did not test the effectiveness of controls on major sub-systems. In cases where certification testing occurred, it was sometimes inadequate or conclusions reached did not reflect the status of the control environment.
For instance, we identified 29 controls for the CCS that were rated as passing by the certification agent even though the system security plan and/or self-assessment documentation disclosed that the controls were not in place. Similar disparities were noted on the Business IT Infrastructure System. As a result, Bonneville officials may have been prevented from effectively taking corrective actions to address weaknesses in system controls because they lacked data on specific weaknesses that could have been exposed by testing.

Although NIST notes that an effective information security program includes testing and evaluation of security controls at least annually, Bonneville had not conducted thorough annual self-assessments on any of the systems reviewed in years when certification testing had not occurred. We noted that Bonneville had implemented a continuous monitoring program that always assessed the same subset of controls each year. However, cyber security officials estimated that these assessments only tested about 20-25 of the 235 controls included in NIST Special Publication 800-53.
As such, this process did not meet the OMB requirement that "Agencies should develop an enterprise-wide strategy for selecting subsets of their security controls to be monitored on an ongoing basis to ensure all controls are assessed during the three-year accreditation cycle."

Corrective Actions

Although OMB requires that plans of action and milestones (POA&M) be developed to assist in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems, Bonneville had not always developed plans to address weaknesses in a number of control areas. Specifically, adequate POA&Ms or corrective action plans to track its efforts for correcting all identified weaknesses had not been developed. In particular, although a POA&M was developed for the CCS, detailed corrective action plans were not established for various weaknesses to show what tasks were to be completed, when they were to be completed, and who was responsible for monitoring the corrective actions. Bonneville also did not develop similar plans for its other systems.
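The two defects described in the Security Control Testing section above (controls rated as passing by the certification agent while the security plan or self-assessment recorded them as not in place, and a continuous monitoring program that re-tested the same small subset every year) are both mechanical to detect once the artifacts are in a comparable form. The following Python is an added example and not code from the report, from Bonneville or from the certification agent: it reconciles three constructed status records per control and flags the disparities, then checks whether an annual monitoring plan reaches every control within the three-year accreditation cycle and builds a rotation that does. Control identifiers follow NIST SP 800-53 naming, but every status value and the nine-control catalog are constructed sample data; the function names are the author's own.

```python
"""Added example (not code from the audit report or from Bonneville) illustrating two
checks drawn from the Security Control Testing finding:

1. reconcile a certification agent's pass/fail ratings against what the system
   security plan (SSP) and the annual self-assessment say, flagging controls rated
   "pass" that the other artifacts record as not in place; and
2. check whether a continuous-monitoring plan assesses every control at least once
   within the three-year accreditation cycle, and build a rotation that does.

Control identifiers use NIST SP 800-53 naming; every status below is constructed
sample data, not Bonneville's results.
"""

# Constructed sample: certification agent rating per control ("pass" / "fail").
CERTIFICATION = {
    "AC-2": "pass", "AC-3": "pass", "IA-2": "pass",
    "PE-3": "pass", "SC-7": "fail", "CM-6": "pass",
}
# Constructed sample: implementation status recorded in the SSP (None = not described).
SSP = {
    "AC-2": "implemented", "AC-3": "not implemented", "IA-2": "implemented",
    "PE-3": "planned", "SC-7": "not implemented", "CM-6": None,
}
# Constructed sample: status from the annual self-assessment (CM-6 was never assessed).
SELF_ASSESSMENT = {
    "AC-2": "implemented", "AC-3": "not implemented", "IA-2": "not implemented",
    "PE-3": "implemented", "SC-7": "not implemented",
}


def find_disparities(certification, ssp, self_assessment):
    """Return {control: [reasons]} for controls the certifier rated 'pass' while the
    SSP or self-assessment says otherwise, or the SSP does not describe the control."""
    disparities = {}
    for control, rating in certification.items():
        if rating != "pass":
            continue  # a "fail" rating already drives a POA&M entry; not a disparity
        reasons = []
        ssp_status = ssp.get(control)
        if ssp_status is None:
            reasons.append("not described in SSP")
        elif ssp_status != "implemented":
            reasons.append(f"SSP says {ssp_status}")
        sa_status = self_assessment.get(control)
        if sa_status is not None and sa_status != "implemented":
            reasons.append(f"self-assessment says {sa_status}")
        if reasons:
            disparities[control] = reasons
    return disparities


# Constructed control catalog (a small stand-in for the 235 controls in SP 800-53).
CATALOG = ["AC-2", "AC-3", "CM-6", "CP-2", "IA-2", "PE-3", "RA-3", "SC-7", "SI-4"]
# A plan that, like the one described in the finding, re-tests the same subset every year.
SAME_SUBSET_PLAN = [["AC-2", "IA-2"], ["AC-2", "IA-2"], ["AC-2", "IA-2"]]


def uncovered_controls(catalog, yearly_subsets, cycle_years=3):
    """Controls never assessed by any annual subset within one accreditation cycle."""
    assessed = set()
    for subset in yearly_subsets[:cycle_years]:
        assessed.update(subset)
    return sorted(set(catalog) - assessed)


def build_rotation(catalog, cycle_years=3):
    """Spread the catalog across the cycle so every control is assessed at least once.
    Controls are dealt round-robin to the years, so the yearly sets are evenly sized."""
    plan = [[] for _ in range(cycle_years)]
    for index, control in enumerate(sorted(catalog)):
        plan[index % cycle_years].append(control)
    return plan


if __name__ == "__main__":
    for control, reasons in find_disparities(CERTIFICATION, SSP, SELF_ASSESSMENT).items():
        print(f"{control}: rated pass, but {'; '.join(reasons)}")
    print("never assessed under the fixed-subset plan:",
          uncovered_controls(CATALOG, SAME_SUBSET_PLAN))
    rotation = build_rotation(CATALOG)
    print("rotation:", rotation, "uncovered:", uncovered_controls(CATALOG, rotation))
```

On the sample data, four of the five "pass" ratings conflict with another artifact (AC-3, IA-2, PE-3 and CM-6), which is the kind of list a system owner needs before signing an accreditation decision; the fixed-subset plan leaves seven of nine controls unassessed across the cycle, while the round-robin rotation leaves none. A real rotation would weight the yearly sets by control risk rather than dealing them evenly, but the coverage check itself is unchanged.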
Absent adequate corrective action plans, Bonneville may have difficulty managing its progress towards eliminating gaps between required security controls and those that are actually in place.

Security Approach and System Owner Involvement

Many of the weaknesses identified occurred because management had not fully adopted a risk-based approach for identifying and implementing security controls over its information systems in accordance with Federal requirements. In addition, inconsistent involvement from system and information owners contributed to inadequate documentation and testing of cyber security controls.

Risk-Based Approach

Although required by NIST, Bonneville management did not emphasize the importance of utilizing a risk-based, life-cycle approach to manage cyber security. In particular, Bonneville addressed security plans and tested the controls only during the certification process, which generally occurs only every three years. For instance, Bonneville had temporarily assigned an individual to develop the system security plan and assess security controls for the Business Enterprise System in 2004. However, after completing these activities, he was assigned to work elsewhere and no replacement was ever assigned to continue monitoring security controls.

Additionally, responsible officials had not appropriately prioritized the application of resources towards cyber security activities to ensure an effective cyber security program. For example, key Bonneville executives and managers chose to dedicate resources to identifying and testing certain controls to meet the requirements of OMB Circular A-123 and North American Electric Reliability Corporation critical infrastructure protection standards. However, this effort did not comport with NIST requirements in that it did not ensure that cyber security controls on all systems within the organization were adequately implemented and tested.

Bonneville officials acknowledged that the Administration needed to improve its C&A process but believed that C&A was but one component of its overall cyber security program. Management told us that in spite of the problems we identified with its risk management process, its systems were not in imminent danger of compromise. Bonneville noted that penetration and vulnerability testing performed by the Department's Office of Health, Safety and Security (HSS) in March 2007 had failed to gain control over its critical systems, including those that control power distribution.
Although HSS did not gain control of any systems during the March 2007 testing, it did identify a number of high-risk configuration weaknesses and noted that "BPA had not fully considered cyber threats to the Control Center Network in their threat assessments and threat statement so that they can conduct valid risk assessments to identify and mitigate cyber security risks." While Bonneville commented that it had developed strong technical controls, a robust C&A process is necessary to ensure that such controls remain effective, adequately address risks, and are changed as needed over the system life cycle.

System and Information Owner Involvement

Although NIST directs that information and system owners actively participate in the security planning process, Bonneville did not adequately involve these key individuals in planning and developing controls. System and information owners, who are not a part of the cyber security function, have the most direct knowledge of the system and the information it contains and also have primary responsibility for determining access and securing these resources.
However, these key individuals were not consulted when deciding what security controls should be in place to protect systems or to ensure that the controls were operating as intended. Bonneville did not ensure that system and information owners devoted adequate attention toward securing the systems that protected critical information. Those individuals who had system and information owner responsibilities, such as developing security plans and risk assessments, had not been identified. Rather, Bonneville inappropriately left such tasks to its already small cyber security staff. To its credit, Bonneville had begun to develop cyber security manuals to identify security responsibilities for system and information owners.

Information Security and Assurance

Without improvements, critical information systems maintained by Bonneville to protect national and economic security and contribute to public safety and health could potentially be disrupted. The need for a strong risk-management program becomes apparent when one considers that the number of cyber security incidents reported to the Department's Computer Incident Advisory Capability is at its highest level in three years. A further illustration of the importance of a robust cyber security program is shown in the results of a 2004 report regarding inappropriately protected systems.
The report noted that the number of externally generated cyber incidents related to control systems had increased significantly in past years. In addition to these reported external attacks, Bonneville's systems could also be impacted by inadvertent or malicious acts of insiders, or disgruntled former employees. Without complete information, individuals responsible for approving systems for operation may continue to do so without fully understanding the risks associated with not implementing certain security controls.

RECOMMENDATIONS

To address the issues identified in this report, we recommend that the Bonneville Administrator:

1. Establish a risk-based, life-cycle approach for implementing its information security program that allows management and information owners to make informed and cost-effective decisions, to include:

   a. Ensuring risks to information resources are assessed periodically, including development of contingency plans;

   b. Fully developing security plans and ensuring that systems are timely accredited for operation;

   c. Verifying that necessary security controls are sufficiently tested for each system, to include conducting annual control assessments and ensuring that conclusions reached are supported by the test results; and,

   d. Maintaining a complete POA&M, to include updated corrective action plans for all identified weaknesses.

2. Re-evaluate how to apply entity resources toward information security program efforts, to include actively engaging system and information owners outside of the cyber security function in risk-based decisions.

MANAGEMENT REACTION

Bonneville expressed concerns with some of the assertions made in the report, but concurred with the recommendations and indicated that it would develop a plan of action to address each of the identified weaknesses. Although Bonneville believed that it had an adequate risk assessment process, management agreed that it did not have sufficient risk-based C&A documentation and disclosed that it would work towards ensuring that systems are both secure and fully documented. Management also commented that it had made a number of improvements that should enhance its cyber security program.

AUDITOR COMMENTS

Management's proposed and stated actions are responsive to our recommendations.
We continue to believe that the\n                     implementation of strong risk management and C&A\n                     processes will enhance Bonneville\'s ability to protect it\n                     systems. As noted by OMB in its Federal Information\n                     Security Management Act reporting instructions, the C&A\n                     process provides a systematic approach for assessing\n                     security controls to determine their overall effectiveness,\n                     which is critical to determining the risk to an organization\'s\n                     operations and assets.\n________________________________________________________________\nPage 8                               Recommendations and Comments\n\x0cAppendix 1\n\nOBJECTIVE             To determine whether the Bonneville Power Administration\n                      (Bonneville) cyber security program adequately protected its\n                      data and information systems.\nSCOPE                 The audit was performed between October 2007 and August\n                      2008 at the Bonneville corporate offices.\nMETHODOLOGY           To accomplish our objective, we:\n                         \xe2\x80\xa2   Reviewed Federal regulations, Department of Energy\n                             (Department) directives, critical infrastructure\n                             protection standards, and guidance pertaining to\n                             certification and accreditation of information systems;\n                         \xe2\x80\xa2   Reviewed prior reports issued by the Office of\n                             Inspector General, the Government Accountability\n                             Office, and the Department\'s Office of Health, Safety\n                             and Security;\n                         \xe2\x80\xa2   Reviewed program-level policies relevant to security of\n                             information systems;\n                         
\xe2\x80\xa2   Held discussions with program officials from\n                             Bonneville; and,\n                         \xe2\x80\xa2   Selected four systems for review to determine whether\n                             relevant cyber security requirements had been\n                             implemented.\n                      We conducted this performance audit in accordance with\n                      generally accepted Government auditing standards. Those\n                      standards require that we plan and perform the audit to obtain\n                      sufficient, appropriate evidence to provide a reasonable basis\n                      for our findings and conclusions based on our audit objectives.\n                      We believe the evidence obtained provides a reasonable basis\n                      for our findings and conclusions based on our audit objectives.\n                      The audit included tests of internal controls and compliance\n                      with laws and regulations to the extent necessary to satisfy the\n                      audit objective. Because our review was limited, it would not\n                      necessarily have disclosed all internal control deficiencies that\n                      may have existed at the time of our audit. We also assessed\n                      performance measures in accordance with the Government\n                      Performance and Results Act of 1993 relevant to security over\n                      information systems. We found that Bonneville had not\n                      established measures specific to this area. 
We did not rely on\n                      computer-processed data to satisfy our audit objective.\n                      Bonneville waived an exit conference.\n\n\n\n________________________________________________________________\nPage 9                              Objective, Scope, and Methodology\n\x0cAppendix 2\n\n                                     PRIOR REPORTS\n\nOffice of Inspector General Reports\n\n   \xe2\x80\xa2   Special Report on Management Challenges at the Department of Energy (DOE/IG-\n       0782, December 2007). The Office of Inspector General (OIG) identified seven\n       significant management challenges facing the Department of Energy (Department),\n       including cyber security. The report noted that although the Department had in place\n       an aggressive effort to address existing weaknesses, we continued to identify\n       deficiencies, including problems relevant to the Department\'s certification and\n       accreditation (C&A) of unclassified information systems.\n\n   \xe2\x80\xa2    Audit Report on Continuity of Operations at Bonneville Power Administration\n       (DOE/IG-0781, November 2007). The OIG found that the Bonneville Power\n       Administration\'s (Bonneville) continuity of operations capability was not fully\n       compliant with Federal requirements. Specifically, Bonneville (1) needed to improve\n       its alternate operating capabilities for power scheduling and transmission scheduling;\n       (2) did not have specific devolution plans for power scheduling, transmission\n       scheduling, and system operations; and, (3) could not always provide evidence that its\n       Continuity of Operations Planning capabilities were periodically tested or that lessons\n       learned were identified and implemented.\n\n   \xe2\x80\xa2    Evaluation Report on the Department\'s Unclassified Cyber Security Program - 2007\n       (DOE/IG-0776, September 2007). 
The evaluation identified continued deficiencies in\n       the Department\'s cyber security program that exposed its critical systems to an\n       increased risk of compromise. In particular, weaknesses existed relevant to system\n       C&A, contingency planning, access controls, configuration management, and change\n       controls. Problems occurred, at least in part, because Department organizations had not\n       always ensured that Federal requirements, Department policies, and cyber security\n       controls were adequately implemented and conformed to Federal requirements, most\n       notably by field organizations and facility contractors.\n\n   \xe2\x80\xa2    Audit Report on Certification and Accreditation of Unclassified Information Systems\n       (DOE/IG-0752, January 2007). Many systems were not properly certified and\n       accredited prior to becoming operational. For example, 9 of 14 sites reviewed had not\n       always properly categorized security levels or risk of damage to major or general\n       support systems and information contained within, or had not adequately tested and\n       evaluated security controls. In many instances, senior agency officials accredited\n       systems although required documentation was inadequate or incomplete, such as\n       incomplete inventories of software and hardware included within defined accreditation\n       boundaries.\n\n   \xe2\x80\xa2   Audit Report on Management Controls over Selected Departmental Critical\n       Monitoring and Control Systems (OAS-M-05-06, June 2005). 
The OIG found that the\n       Department could not ensure that it could continue operations or quickly restore\n\n\n________________________________________________________________\nPage 10                                               Prior Reports\n\x0cAppendix 2 (continued)\n\n      selected critical monitoring and control systems in the event of an emergency.\n      Specifically, management had not fully assessed risks or taken adequate steps to\n      mitigate the foreseeable risks confronting the six critical monitoring and control\n      systems reviewed. This issue occurred because site management had not sufficiently\n      considered and periodically evaluated the risk that critical monitoring and control\n      systems would become inoperable and unable to be restored in a timely manner.\n\n  \xe2\x80\xa2    Audit Report on Power Marketing Administration Infrastructure Protection (OAS-B-\n      03-01, April 2003). Western Area Power Administration (Western) and Southwestern\n      Power Administration had not adequately assessed the vulnerabilities and risks for their\n      critical assets. Vulnerability and risk assessments at Western were inadequate because\n      management was primarily concerned about recovering from any disruption in\n      operations, regardless of its source.\n\n\n\n\n________________________________________________________________\nPage 11                                              Prior Reports\n\x0cAppendix 3\n\n\n\n\n________________________________________________________________\nPage 12                                      Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\n________________________________________________________________\nPage 13                                      Management Comments\n\x0c                                                             IG Report No. 
DOE/IG-0807\n\n                       CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of\nits products. We wish to make our reports as responsive as possible to our customers\'\nrequirements, and, therefore, ask that you consider sharing your thoughts with us. On the\nback of this form, you may suggest improvements to enhance the effectiveness of future\nreports. Please include answers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding\n   this report?\n\n2. What additional information related to findings and recommendations could have\n   been included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s\n   overall message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the\n   issues discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should\n   we have any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector\nGeneral at (202) 586-0948, or you may mail it to:\n\n                           Office of Inspector General (IG-1)\n                                 Department of Energy\n                                Washington, DC 20585\n\n                              ATTN: Customer Relations\n\n\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Judy Garland-Smith (202) 586-7828.\n\x0c'